Bug 1201279 - (CVE-2022-33980) VUL-0: CVE-2022-33980: apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P5 - None
Severity: Major
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/336326/
Reported: 2022-07-07 09:11 UTC by Hu
Modified: 2022-07-07 09:11 UTC

Found By: Security Response Team
Description Hu 2022-07-07 09:11:00 UTC
CVE-2022-33980

Apache Commons Configuration performs variable interpolation, allowing
properties to be dynamically evaluated and expanded. The standard format for
interpolation is "${prefix:name}", where "prefix" is used to locate an instance
of org.apache.commons.configuration2.interpol.Lookup that performs the
interpolation. Starting with version 2.4 and continuing through 2.7, the set of
default Lookup instances included interpolators that could result in arbitrary
code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions
may be vulnerable to remote code execution or unintentional contact with remote
servers if untrusted configuration values are used. Users are recommended to
upgrade to Apache Commons Configuration 2.8.0, which disables the problematic
interpolators by default.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33980
https://seclists.org/oss-sec/2022/q3/29
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33980
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
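Added example (not part of the bug report, the CVE text, or the Commons Configuration project's own code): it shows how a "${script:...}" value placed in a property reaches the script lookup under the 2.4 through 2.7 defaults, and the hardening an application on an affected version can apply itself, which is to install an explicit allow-list of lookups via AbstractConfiguration.installInterpolator() so that no Lookup is registered for the "script", "dns" or "url" prefixes and such references are left unexpanded. The property names, the sample values and the DANGEROUS_PREFIX audit regex are constructed for the example. It assumes commons-configuration2 (2.4 or later, before 2.8.0) and its commons-text dependency on the classpath, and a JSR-223 engine registered under the name "javascript" (Nashorn on JDK 8 through 14) for the script reference to actually evaluate; on a JDK without such an engine the script lookup fails instead of evaluating, which does not change the hardening shown.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

public class InterpolationDefaultsDemo {

    // Constructed sample values, as attacker-controlled configuration could supply them.
    // The script expression is deliberately harmless; what matters is that it is evaluated.
    static final String SCRIPT_REF =
        "${script:javascript:java.lang.System.getProperty('java.version')}";
    static final String URL_REF = "${url:UTF-8:http://example.com/}";   // would fetch over the network
    static final String DNS_REF = "${dns:address|example.com}";          // would perform a DNS query

    // Audit regex (constructed for this example): raw values naming one of the three prefixes.
    private static final Pattern DANGEROUS_PREFIX =
        Pattern.compile("\\$\\{(script|dns|url):", Pattern.CASE_INSENSITIVE);

    private static void loadSampleValues(PropertiesConfiguration config) {
        config.setProperty("app.banner", SCRIPT_REF);
        config.setProperty("app.metadata", URL_REF);
        config.setProperty("app.peer", DNS_REF);
    }

    /** Vulnerable: the library's default interpolator as shipped in 2.4 through 2.7. */
    static PropertiesConfiguration withDefaultLookups() {
        PropertiesConfiguration config = new PropertiesConfiguration();
        loadSampleValues(config);
        return config;
    }

    /** Hardened: replace the defaults with an explicit allow-list of prefix lookups. */
    static PropertiesConfiguration withAllowListedLookups() {
        PropertiesConfiguration config = new PropertiesConfiguration();
        Map<String, Lookup> allowed = new HashMap<>();
        for (DefaultLookups l : EnumSet.of(DefaultLookups.SYSTEM_PROPERTIES,
                                           DefaultLookups.ENVIRONMENT,
                                           DefaultLookups.CONST)) {
            allowed.put(l.getPrefix(), l.getLookup());
        }
        // installInterpolator() discards the default prefix lookups (script, dns, url, ...)
        // and installs only the ones given; no prefix-less default lookups are registered.
        config.installInterpolator(allowed, Collections.<Lookup>emptyList());
        loadSampleValues(config);
        return config;
    }

    /** Audit check: inspect the stored, uninterpolated value before anything expands it. */
    static boolean referencesDangerousLookup(PropertiesConfiguration config, String key) {
        Object raw = config.getProperty(key);   // getProperty() does not interpolate
        return raw != null && DANGEROUS_PREFIX.matcher(raw.toString()).find();
    }

    public static void main(String[] args) {
        PropertiesConfiguration vulnerable = withDefaultLookups();
        // getString() interpolates. With the 2.4-2.7 defaults this hands the expression
        // to the javax.script engine named "javascript" and returns its result.
        System.out.println("default lookups, app.banner = " + vulnerable.getString("app.banner"));

        PropertiesConfiguration hardened = withAllowListedLookups();
        // No Lookup is registered for the "script" prefix, so the reference resolves to
        // nothing and the literal "${script:...}" text is returned unexpanded.
        System.out.println("allow-list,      app.banner = " + hardened.getString("app.banner"));

        // Independent of which interpolator is installed, flag values that name the
        // removed prefixes so they can be traced back to their (untrusted) source.
        for (String key : new String[] {"app.banner", "app.metadata", "app.peer"}) {
            if (referencesDangerousLookup(hardened, key)) {
                System.out.println("audit: " + key + " references a script/dns/url lookup");
            }
        }
    }
}
```

The allow-list, rather than calling deregisterLookup("script") and friends on the existing interpolator, is the safer shape: a later library upgrade that adds another network- or code-reaching default lookup does not silently widen what untrusted values can reach. The url and dns sample values are never interpolated in main() so the example runs offline; reading app.metadata or app.peer through getString() on the vulnerable configuration would perform the network access the advisory describes. Upgrading to 2.8.0, as the advisory recommends, removes the three lookups from the defaults so that only code which registers them explicitly gets them.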
Comment 1 Hu 2022-07-07 09:11:32 UTC
Closing, not Affected:
- SUSE:SLE-15-SP2:Update/apache-commons-configuration  1.10
- openSUSE:Factory/apache-commons-configuration        1.10